tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Steve G. Johnson" <Johnson_Stev...@solarturbines.com>
Subject Re: SSLv3/TLS man-in-middle vulnerability
Date Tue, 19 Jan 2010 07:31:11 GMT
Mark,
Since we do not know how to "switch connectors", or install OpenSSL, and do
not have JDK on the server (only JRE 1.6.0_17), then I suppose the best bet
is to wait until Tomcat is fixed ("coming soon").



Steve Johnson (619) 237-8315 P Please consider the environment before
printing this e-mail.





                                                                           
             Mark Thomas                                                   
             <markt@apache.org                                             
             >                                                          To 
                                       Tomcat Users List                   
             01/18/2010 09:19          <users@tomcat.apache.org>           
             AM                                                         cc 
                                                                           
                                                                   Subject 
             Please respond to         Re: SSLv3/TLS man-in-middle         
               "Tomcat Users           vulnerability                       
                   List"                                                   
             <users@tomcat.apa                                             
                 che.org>                                                  
                                                                           
                                                                           
                                                                           



Caterpillar: Confidential Green                 Retain Until: 02/17/2010




On 18/01/2010 11:03, Steve G. Johnson wrote:
>
> We recently installed Tomcat 5.5.23 in Windows server to support the
Infor
> WebUI (webtop) application.
> We installed a cerificate and are using SSl on port 8443. This all works
> fine.
>
> The local IT Security team ran an HP "Web Inspect" and it showed a High
> vulnerability for SSLv3/TLS known as CVE-2009-3555.
> We are running JVM JRE 1.6.0._17 on the server.
> You state on the http://tomcat.apache.org/security-5.html site at end of
> page that this is not a vulnerability depending on a number of factors.
> This is very unclear tor us.
>
> The Web Inspect product sated that this must be fixed as follows:
> "
> Patches must be applied to the underlying web server and ssl library.
> OpenSSL Patch: http://www.openssl.org/source/openssl-0.9.8l.tar.gz
> Apache Mod-SSL Patch:
> http://www.apache.org/dist/httpd/patches/apply_to_2.2.14
> /CVE-2009-3555-2.2.patch
> These patches may cause issues with sites that require renegotiation.
> (Sites requiring public HTTPS access with certain folders
> protected by client-side certificates)
> "
>
> What can we do to make the vulnerability shown in Web Inspect go away?

You have a couple of options, depending on which connector you are using.

BIO & NIO connectors
 - use JSSE for SSL
 - JSSE is provided by the JDK
 - a fix will require a fix the JDK - talk to your JDK vendor
 - the next 6.0.x release (coming soon) will contain a workaround

APR/native connector
 - uses OpenSSL for SSL
 - OpenSSL is provided by the OpenSSL project
 - a fix requires a fix in OpenSSL
 - APR/native 1.1.19 includes a workaround for this issue

Right now, the quickest way to fix this is to switch to the APR/native
connector and use 1.1.19

Mark



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message